Provenance Graph Modeling and Feature Enhancement for Power System APT Detection

The power system, as a critical national infrastructure, faces stealthy and persistent intrusions from Advanced Persistent Threat (APT) attacks. These attack chains span multiple stages and components, while heterogeneous data sources lack unified semantics, limiting the interpretability of current detection methods. To address this, we combine the W3C PROV-DM standard with power-specific semantics to map generic provenance data into standardized provenance graphs. On this basis, we propose a graph neural network framework that jointly models temporal dependencies and structural features. The framework constructs unified provenance graphs with snapshot partitioning, applies Functional Time Encoding (FTE) for temporal modeling, and employs a graph attention autoencoder with node masking and edge reconstruction to enhance feature representations. Through pooling, graph-level embeddings are obtained for downstream detection. Experiments on two public datasets show that our method outperforms baselines across multiple metrics and exhibits clear inter-class separability. In the context of scarce power-domain APT data, this study improves model applicability and interpretability, and it provides a practical path for provenance graph-based intelligent detection in critical infrastructure protection.